PortalProtect is not able to detect application/executable files when they are embedded as an object inside a Microsoft Word/Excel file.
This is an expected scenario because the Attachment Blocking OLE Scan feature is disabled by default.
To resolve the issue, enable the Attachment Blocking OLE Scan feature:
- Open the Registry Editor.
- Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PortalProtect\CurrentVersion.
- Modify/Create the following key:
Name: ABOLEScanLayer (to enable OLE Scan feature)
Type: Dword (32Bit Value)
Value: 0 – 20Where:
0: means disabled
1-20: means enabled & max scan layerExample:
ABOLEScanLayer = 1
- You can also specify the file types to be scanned for OLE:
- Add the registry below:
Path: [HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PortalProtect\CurrentVersion]
Key: ABOLEContainerTypes (to specify file types to be Scanned for OLE)
Type: REG_SZ
Value: ";" separated VSAPI file types (e.g. 1;2;4)ABOLEContainerTypes, string, type ID list of VSAPI supported OLE container files. The default value is “1;2;4;30;4045;6015”:
1 = Word
2 = PowerPoint
4 = Excel
30 = Project
4045 = Office 2007 files
6015 = pdf - If you want to support a ZIP file as an OLE container file, add "4003" to ABOLEContainerTypes.
Example:
ABOLEContainerTypes=1;2;4;30;4045;6015;4003
- Restart PP_Master service.
- Add the registry below:
- It is necessary to enable "Block file types or names within compressed files" in the Attachment Blocking policy from the PortalProtect web UI for this to take effect.
By default, Attachment Blocking OLE Scan will check the following file types:
- Word
- Powerpoint
- Excel
- Project
- Office 2007 files
To customize which file types will be scanned, perform the following steps:
- In the Registry Editor, navigate to HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PortalProtect\CurrentVersion
- Create the following key:
Name: ABOLEContainerTypes (to specify file types to be Scanned for OLE)
Type: REG_SZ
Value:Value File Type 1 Word 2 Powerpoint 4 Excel 30 Project 4045 Office 2007 files 6015 pdf Separate multiple values using semi-colon (;).